
Attackers abused open redirects on the websites of Snapchat and American Express in a series of phishing attacks to steal Microsoft 365, FedEx and DocuSign credentials.
An open redirect occurs when a website provides a URL that forwards the visitor to another URL but fails to validate that user-supplied destination, allowing attackers to send victims to malicious sites. Victims trust the link because the first domain name in the manipulated link is a trusted one, such as American Express or Snapchat. An example of such a URL is https://safe.com/redirect?url=https://malicious.com.
“The trusted domain (e.g., American Express, Snapchat) acts as a temporary landing page before the surfer is redirected to a malicious site,” says a post published in August 2022 by INKY.
During a two-and-a-half-month period, INKY engineers detected the snapchat[.]com open redirect vulnerability in 6,812 phishing emails originating from various hijacked accounts.
Open Bug Bounty reported the Snapchat vulnerability to the company on Aug. 4, 2021. However, it remains unpatched.
American Express quickly fixed the issue in late July 2022.
When examining links, surfers should keep an eye out for URLs that include, for example, “url=”, “redirect=”, “external-link”, or “proxy”. These strings might indicate that a trusted domain could redirect to another site.
Website owners should allow redirects only to destinations on their own site.
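The two checks described above, the reader-side heuristic (spotting redirect-style strings in a link) and the site-side rule (only redirecting back to your own host), as an added example that is not code from the INKY post or from either affected company; it uses the article's https://safe.com/redirect?url=... shape, and the parameter names and hint strings beyond those in the article are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Strings the article recommends watching for; an assumed heuristic, not exhaustive.
REDIRECT_HINTS = ("url=", "redirect=", "external-link", "proxy")
# Query parameters a redirect endpoint commonly reads its target from (assumed names).
TARGET_PARAMS = ("url", "redirect", "next", "return")


def has_redirect_hint(link: str) -> bool:
    """Reader-side check from the article: does the link look like a redirector?"""
    lowered = link.lower()
    return any(hint in lowered for hint in REDIRECT_HINTS)


def is_local_redirect(target: str, site_host: str) -> bool:
    """Site-side check: True only if `target` stays on `site_host`.

    Rejects other hosts, scheme-relative '//host' forms, backslash and
    triple-slash variants that browsers resolve to another host, userinfo
    forms like 'https://safe.com@other.example', and non-http(s) schemes.
    """
    candidate = target.strip().replace("\\", "/")   # browsers treat '\' as '/'
    if not candidate:
        return False
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False                                 # javascript:, data:, ...
    if parts.netloc:
        # .hostname drops userinfo and port, so 'safe.com@other' yields 'other'
        return parts.hostname == site_host.lower()
    # No authority part: accept only a site-relative path with a single leading '/'
    return candidate.startswith("/") and not candidate.startswith("//")


def safe_redirect_target(target: str, site_host: str, fallback: str = "/") -> str:
    """Hardened redirect handler: never leave the site; fall back to a local page."""
    return target if is_local_redirect(target, site_host) else fallback


def vet_redirect_link(link: str, site_host: str) -> bool:
    """For a full link such as https://safe.com/redirect?url=..., report whether
    every redirect-style parameter it carries would stay on `site_host`."""
    query = parse_qs(urlsplit(link).query)
    targets = [v for name in TARGET_PARAMS for v in query.get(name, [])]
    return all(is_local_redirect(t, site_host) for t in targets)
```

Because `is_local_redirect` only accepts an exact hostname match or a single-slash relative path, a site that legitimately redirects to a handful of partner hosts would need an explicit allow-list rather than loosening this check.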